Tag Archives: plain text

I don’t normally blog about this, so please excuse the following rant. As a public service, I search for “plain text” on twitter to find people complaining about sites storing user passwords in plain text. I noticed some people complaining about Call of Duty Elite – an official site for the Call of Duty: Modern Warfare series players from Activision – about their passwords being stored as plain text.

I decided to sign up to the website myself, in order to see the “Forgot password” email that contained my plain text password with my own eyes. Below are my experiences:

I started by going to the Call of Duty Elite website and pressing “Join up for free” in the middle of the page. I was taken to a screen where I was prompted to either sign in with my Facebook account, or using a traditional sign up. I’m somewhat reluctant to authenticate with my Facebook account, because sites usually tend to ask for much more information from Facebook that they really require (I prefer using Twitter authentication for this, if available). Besides, my real reason was to register a bogus profile just for the sake of the password recovery email.

I proceeded to enter my email address, password, first and last names, all of which were visually validated. I then tried to select my country. When I clicked the “Select a country” combo box, I was presented with this:

Not only did the list not contain my country (Israel), it was completely unsorted and did not accept keyboard input to quickly look up the country! This is already a major WTF: the game is available worldwide, yet lots of countries are missing, and on top of that the list is unsorted, which prevents you from quickly scanning for your country in its logical (alphabetical) position.

I selected a random country at this point, and entered a random date of birth below. I proceeded to click Next, and was presented with the following message:

Can you tell me from looking at this what went wrong? I couldn’t. It took me a while, then I noticed that the title of the page was “Age gate failed”, which led me to understand that I must’ve entered a wrong year (nowhere did it say that I must be at least X years old to sign up). I tried clicking “Back” to get to the signup page, and to my surprise I was redirected back to the “Age gate failed” page.

See what they did there? The Call of Duty Elite website had planted a cookie in my browser, preventing me from going back and entering another date! I thought we were done with this sort of behavior back in the early 2000s. How very clever, Activision!

So after deleting the cookies, and filling in the information again using “correct” bogus data, I was able to sign up, get a verification email, and then finally go to the login page. Once I got there, I clicked “Forgot password”, and the following arrived in my inbox:

I was speechless! Not only did it contain my password in plain text, as expected, but can you see the little {0} placeholder where the sender’s name should be? I seriously did not expect a multi-billion dollar corporation to deliver such a low-quality service.

Bottom line: if you’re using the website, make sure you change your password to something else (and stop reusing it elsewhere). Being a high-value target for hackers, I believe it’s only a matter of time before the “Sony hacking” history repeats itself.
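For contrast, here is what a “Forgot password” flow looks like when the site never holds the password in recoverable form. This is an added example written for this post, not code from Activision or the Call of Duty Elite site; the in-memory user store, the 200,000 PBKDF2 iterations and the 15-minute token lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 200_000          # slow hash; tune to your hardware
TOKEN_TTL_SECONDS = 15 * 60   # reset links expire quickly

# Constructed in-memory user store; a real site would use a database.
_users = {}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(email, password):
    # Store a random per-user salt plus a slow salted digest, never the
    # password itself: nothing here can be turned back into the password,
    # so no email can ever "contain your password".
    salt = os.urandom(16)
    _users[email] = {"salt": salt, "digest": _hash_password(password, salt),
                     "reset": None}


def verify(email, password):
    user = _users.get(email)
    if user is None:
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["digest"])   # constant time


def request_reset(email):
    # "Forgot password" issues a single-use random token with an expiry.
    # Only the token's hash is stored, so a database leak leaks no usable tokens.
    user = _users.get(email)
    if user is None:
        return None            # caller still shows a generic "email sent" message
    token = secrets.token_urlsafe(32)
    user["reset"] = (hashlib.sha256(token.encode()).digest(),
                     time.time() + TOKEN_TTL_SECONDS)
    return token               # this, not the password, goes into the email link


def complete_reset(email, token, new_password):
    user = _users.get(email)
    if user is None or user["reset"] is None:
        return False
    token_hash, expires = user["reset"]
    presented = hashlib.sha256(token.encode()).digest()
    if time.time() > expires or not hmac.compare_digest(presented, token_hash):
        return False
    register(email, new_password)   # rehash with a fresh salt; clears the token
    return True
```

Because `register` rehashes with a new salt and discards the token, a reset link works exactly once and a leaked old link is useless after it expires.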

Some time ago my friend @omervk and I created Plain Text Offenders – a wall of shame for websites that store your password in plaintext and email it back to you. I didn’t expect this kind of explosion – hundreds of submissions already posted and dozens of new ones arriving every day!

In the worst security breach in Gawker Media history, a 500 MB file containing Gawker’s source code and employee passwords was released to the internet, compromising the email addresses and passwords of hundreds of thousands of users.

Studies show that over 30% of sites store our passwords in plain-text in their database.